After upgrading CCR1009-7G-1C-1S+ from 6.49.2 to 7.1.1, NAT hairpin stopped working (downgrading to 6.49.2 makes it work again). All firewall rules and other settings are the same in 7.1.1. What is wrong with the configuration? Thanks.
firewall.rsc (4.58 KB)
You have an unconditional masquerade rule that affects any connection through the router, and that covers what hairpin NAT needs, so there's no reason why it wouldn't work.
As for what's otherwise wrong with your configuration, if this is your whole firewall, it's completely useless, because it allows pretty much everything, all connections through the router and to the router itself.
In NAT, you do not need to specify to-ports when it's equal to dst-port:
add action=dst-nat chain=dstnat dst-address=217.72.x.xxx dst-port=80 protocol=tcp to-addresses=192.168.29.174 to-ports=80
could be written:
add action=dst-nat chain=dstnat dst-address=217.72.x.xxx dst-port=80 protocol=tcp to-addresses=192.168.29.174
The last firewall rule should be "Drop all that is not allowed above".
My last rule:
add action=drop chain=input comment="Drop packets that has not been allowed or dropped before." \
in-interface=ether1 log=yes log-prefix=FI_D_port-test
Do you need to have port 22 open? I would have used a random high port and mapped it to 22. So SSH to e.g. 45022 points to 22.
Prevents all SSH scanners from seeing the SSH port. (Used as one of many security measures.)
You should also remove the serial number and public IP from your post.
My NAT:
add action=masquerade chain=srcnat
After upgrading to 7.1.1 it also did not work, even if I turn off the whole firewall. After downgrading to 6.49.2 everything works.
exactly the same situation
exactly the same situation
As noted by sob,
add action=masquerade chain=srcnat is NOT correct!
It is unconditional.
You need
add action=masquerade chain=srcnat out-interface=ether1 or out-interface-list=WAN (for dynamic WAN IP)
By the way, if your WAN IP is static/fixed, the proper format is not masquerade:
add action=src-nat chain=srcnat to-addresses=fixedWANIP out-interface=ether1
This is my configuration running on 6.49.2:
action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.xxx.xxx.1 log-prefix=hairping src-address=192.xxx.xxx.0/24
Following your suggestion I modified it to this:
action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.xxx.xxx.1 log-prefix=hairping out-interface=ether1 src-address=192.xxx.xxx.0/24
but it still doesn't work for me in 7.1.
I have these records in the log:
harping srcnat: in:(unknown 0) out:bridge, proto UDP, 192.xxx.xxx.xxx:1900->192.xxx.xxx.xxx:23xx, len 275
Let me guess, the first xxx is 168 and the second xxx is between 0 and 255.
Seriously, it's a private subnet, not unique, millions of people have the same, there's no point masking it.
As for NATs, out-interface=WAN is obviously nonsense for hairpin NAT, because there the outgoing interface is LAN. The out-interface=WAN is for the main NAT, for connections from LAN to internet. Hairpin NAT is usually src-address= dst-address=. But yours works too. In fact, without out-interface it can be a dual-use rule for both LAN->internet and hairpin LAN->LAN. And there's no reason why it shouldn't work in v7. Post the whole config, there should be some explanation for it.
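Added example, not from the thread or from RouterOS itself: a small Python simulator of how the srcnat rules discussed above match the two flows (a LAN client reaching the published server via the public address, and a LAN client going to the internet). It assumes a constructed topology: LAN 192.168.144.0/24 on "bridge", router LAN address 192.168.144.1, WAN on "ether1" with documentation address 203.0.113.10, and that dst-nat has already rewritten the destination before srcnat is evaluated.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the thread): router address per
# outgoing interface, and the WAN/LAN interface lists the poster's config uses.
ROUTER_ADDR = {"bridge": "192.168.144.1", "ether1": "203.0.113.10"}
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}


@dataclass
class Packet:
    src: str
    dst: str        # destination *after* dst-nat, which runs before srcnat
    out_iface: str  # interface the router routes the packet out of


def addr_matches(addr: str, spec: str) -> bool:
    """RouterOS-style address matcher: leading '!' negates, host or prefix."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """A rule matches when every matcher it carries is satisfied."""
    checks = {
        "src-address": lambda v: addr_matches(pkt.src, v),
        "dst-address": lambda v: addr_matches(pkt.dst, v),
        "out-interface": lambda v: pkt.out_iface == v,
        "out-interface-list": lambda v: pkt.out_iface in IFACE_LISTS[v],
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def apply_srcnat(rules: list, pkt: Packet) -> tuple:
    """First matching masquerade rule wins; returns (rule comment, new src)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["comment"], ROUTER_ADDR[pkt.out_iface]
    return None, pkt.src  # no srcnat: the server sees the client's real address


MAIN = {"comment": "main", "out-interface-list": "WAN"}
HAIRPIN = {"comment": "HairpinNat", "src-address": "192.168.144.0/24",
           "dst-address": "192.168.144.0/24"}
HAIRPIN_WAN = dict(HAIRPIN, **{"out-interface": "ether1"})  # attempt from above

# Hairpin: dst-nat already rewrote dst to the server, so the router routes the
# packet back out the bridge, never ether1. Internet flow goes out ether1.
HAIRPIN_FLOW = Packet("192.168.144.50", "192.168.144.22", "bridge")
INTERNET_FLOW = Packet("192.168.144.50", "198.51.100.7", "ether1")
```

With out-interface=ether1 on the hairpin rule no srcnat rule fires for the LAN->LAN flow, so the server would answer the client directly and the connection breaks; the bare unconditional masquerade matches both flows, which is the dual-use case described above.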
Well your hairpin attempt is wrong.
This is my configuration running on 6.49.2:
action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.xxx.xxx.1 log-prefix=hairping src-address=192.xxx.xxx.0/24
(Remove that stupid symbol/syntax.) Both source and destination address are identical (aka the one the server and users are both on).
And yes, protecting a private IP is rather amusing...
It looks like something has changed in OS version 7 that has srcnat masquerade fail for several people.
While not completely impossible, it's very very unlikely. It's basic srcnat, almost everyone uses that. If there was something wrong with it, it wouldn't be just a few people who would notice.
It seems there are more of us, for example me. For 99% it's not my fault (but unfortunately I can't test it on 6.x, as there is no such version for RB5009).
# feb/13/2022 23:16:41 by RouterOS 7.1.2
# model = RB5009UG+S+
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
add action=masquerade chain=srcnat comment=HairpinNat dst-address=!192.168.144.1 src-address=192.168.144.0/24
/ip firewall filter
add action=accept chain=forward comment="Allow forward traffic for connection already established/related" connection-state=established,related
add action=accept chain=forward comment="Allow forward traffic for connection from LAN" connection-state=!invalid in-interface-list=LAN out-interface-list=WAN src-address=192.168.144.0/24
add action=accept chain=forward comment="Allow forward traffic for port redirections and DMZ" connection-nat-state=dstnat
add action=drop chain=forward comment="Deny rest of forward traffic"
add action=accept chain=output comment="Allow output traffic"
add action=accept chain=input comment="Allow input traffic for connection already established/related" connection-state=established,related
add action=accept chain=input comment="Allow ICMP ping requests" icmp-options=8:0 protocol=icmp
add action=accept chain=input comment="Allow ICMP messages about too big packet size (fragmentation required)" icmp-options=3:4 protocol=icmp
add action=accept chain=input comment="Allow init connection to winbox service on LAN" connection-state=new dst-address=192.168.144.1 dst-port=8291,22,80 in-interface-list=LAN protocol=tcp src-address=192.168.144.0/24
add action=accept chain=input comment="Allow requests to DNS service from LAN" connection-state=new dst-address=192.168.144.1 dst-port=53 in-interface-list=LAN protocol=udp src-address=192.168.144.0/24
add action=drop chain=input comment="Deny rest of input traffic"
Not that it may make a difference but worth a shot... change the order and modify the rule...
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
add action=masquerade chain=srcnat comment=HairpinNat dst-address=!192.168.144.1 src-address=192.168.144.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNat dst-address=192.168.144.0/24 src-address=192.168.144.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
I've moved my problem here - http://forum.mikrotik.com/t/hairpin-issue-rb5009-on-7-1/155818/5 - to be 100% sure it's not a configuration issue.